Superfish adware frenzy over Lenovo 'betrayal of trust'
Hackers can exploit Lenovo weakness to intercept apparently secure communications
Superfish, the much-maligned adware that came pre-installed on Lenovo laptops, is but one of several "creepy" digital pests capable of wriggling past encrypted web-browsing sessions, cybersecurity experts warn.
Not even trusted banking and e-commerce sites are impregnable to what researchers call "man in the middle" attacks that could exploit the security flaw.
"We're just kind of scratching the surface," said Ken Westin, a senior security analyst with cybersecurity firm Tripwire. "I guarantee you within the next week or two, we'll start hearing more about things like this."
The vulnerability allows hackers to intercept secure communications, inject ads into encrypted sites and peer into what should be secure web traffic.
Dave Fewer, director of the Ottawa-based Canadian Internet Policy and Public Interest Clinic, described the flaw as "a huge betrayal of trust."
To understand why, it helps to get a grasp of how websites ensure safe web browsing, who could be affected, and why the adware was created.
What is Superfish?
Superfish is a visual search tool that analyzes images algorithmically to generate ads based on searches.
Ostensibly, the add-on was preloaded onto Lenovo computers so it could change or insert advertisements into a user's regular web browsing.
"It knows what you're looking at and can feed you ads as a result. So if you're looking at couches online, it'll show you ads for furniture," Fewer said. "Really creepy when you think about it."
Superfish circumvents the secure sockets layer (SSL), the standard security protocol used by trusted websites.
"When you see a little lock icon and you see the HTTPS popping up there, you should have a certain amount of confidence that your communication is being encrypted," said Tom Keenan, a fellow with the Canadian Defence and Foreign Affairs Institute.
"This thing defeats that, so you think you're secure, but you're not."
What went wrong?
The adware "hijacks" website certificates that are typically only issued by recognized certificate authorities such as Symantec and Comodo, Keenan said.
While root certificates act as verified chains of trust in online transactions, the problem is that Superfish "signs" its own root certificates, Fewer said, "effectively tricking the operating system, and therefore the user, into thinking it's got legitimate business intercepting secure transactions."
For example, a user whose Lenovo laptop is compromised might check the website certificate on a banking website and see it's protected by "Superfish Inc." instead of a proper issuer of digital certificates.
The incentive for Superfish to do this might have something to do with not wanting its search-tracking abilities to be blocked by encrypted communications.
Who might be affected?
Lenovo, the world's largest PC manufacturer, identifies 43 different models of affected laptops and mobile devices.
The fact Superfish was pre-installed on all of them is worrisome, because most users don't take proactive steps to secure their hardware.
Devices shipped worldwide, including to Canada, between October 2014 and December 2014 came with the potentially malicious software.
A spokesperson with Public Safety Canada said the government "is aware of the Superfish vulnerability" and is "assessing the possible impact and sharing cyberthreat and mitigation information."
The U.S. Department of Homeland Security advised Lenovo customers to remove Superfish from their laptops last week.
Lenovo has introduced a Superfish removal tool, and some third-party firms, such as the password service LastPass, have created tools to help users check whether their devices are affected.
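An added check, not from the article and not the Lenovo or LastPass tool it mentions: a PowerShell snippet that scans the Windows trusted root stores for a certificate naming "Superfish" (the issuer name the article says a user would see on a banking site). It assumes Windows PowerShell with the Cert: drive available.

```powershell
# Added example: look for a Superfish root certificate in the trusted root stores.
# Assumes the Cert: drive (Windows PowerShell); removal needs an elevated prompt.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                # A root that signs itself is exactly what the article describes
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'A Superfish root certificate is trusted on this machine; remove it and the adware before using HTTPS sites.'
    # Preview removal without deleting; drop -WhatIf to actually remove (run elevated):
    $hits | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -WhatIf }
} else {
    'No Superfish root certificate found in the trusted root stores.'
}
```

Removing the certificate alone does not uninstall the adware, which can reinstall it; the article's recommended fix is a clean reinstall of Windows.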
Why should consumers care?
The main concern is with "SSL spoofing," in which cybercriminals set up fake website certificate authorities.
Analysts call the ability to intercept, decrypt and inject communications between a host and a server MITM (man-in-the-middle) eavesdropping.
Attackers could "impersonate" a legitimate website, "and there are no limits to what you can pretend to be," said LastPass CEO Joe Siegrist.
"[A cyber attacker] can pretend to be Gmail and watch all communications going through," Siegrist said. "Just about anybody who has network access can do this."
Theft of banking passwords is another worry.
According to Siegrist, more than five per cent of people who have checked their laptops for Superfish via LastPass's online web tool have learned they were affected, including "Canadians on home networks, commercial networks, and universities."
How common are these MITM vulnerabilities?
If there's any positive outcome from the Superfish fallout, it's that the revelations have led to greater awareness of these types of vulnerabilities, said Westin, the threat intelligence expert with Tripwire.
"Researchers are finding these techniques are used by a lot of other companies," he said. "This thing with Lenovo is just the first shoe to drop."
Siegrist said that while "seven or eight" Superfish-style programs have recently been identified, Superfish is catching the most flak because it was pre-installed and distributed so broadly on Lenovo products.
Lenovo is also not the only PC manufacturer to pre-install software on new computers, however.
Keenan said that bundling in such "annoyware" often brings down costs of new computers, as software makers might pay the vendors for the privilege of being preloaded.
For his part, Westin wants to see the practice stop.
"I'd rather pay $20 more for a laptop that's private and secure than have to deal with this," he said.
How can consumers protect themselves?
The best practice is to completely wipe Windows and reinstall it after bringing a PC home, Westin said.
It's the only way to eliminate unwanted customizations.
"I think it's a way of them decreasing the cost of the laptop, but also it's just a general outdated monetization strategy," he said.
Although no attacks have as of yet been reported, Lenovo's image has already taken a big hit.
"When you spend a bunch of money on a laptop and find out they compromise your security for their own profit, that's a bad thing," Westin said.
"It has a significant impact on the perception of the brand, and I think Lenovo's going to be hurt by the sales for quite a long time."